This is a discussion on Re: [openssl.org #1034] bug report (and fix): PKCS12_parse returns incorrect cert - Openssl ; OK,I'd like to report this as a bug to the IBM ikeyman folks. However,
when I look at PKCS#12 v1
( http://www.rsasecurity.com/rsalabs/node.asp?id=2138 ) I don't see any
discussion of this limitation of the localKeyID field. Is there a newer
spec ...

OK,I'd like to report this as a bug to the IBM ikeyman folks. However,
when I look at PKCS#12 v1
(http://www.rsasecurity.com/rsalabs/node.asp?id=2138) I don't see any
discussion of this limitation of the localKeyID field. Is there a newer
spec I should be looking at?

BTW - the link on your FAQ
Q. Where can I get technical documentation on this stuff?
A. If you want info about my implementation see docs/pk12api.doc and
docs/pkcs12.doc.
Latest PKCS#12 Specification.

gives a 404. (and where can I find docs/pk12api.doc and docs/pkcs12.doc?)

Additionally, I will need to parse such 'broken' files, so will need to
update PKCS12_parse for my own use, to find the first private key and the
cert that matches it, regardless of localKeyID in other certs or the order
or the certs/key. Would you be interested in that update? (It could
change the behaviour of the function for files with multiple key/cert
pairs in it).

That looks like a highly broken PKCS#12 file. The localKeyID attribute
is supposed to be only used between the private key and corresponding
certificate. In that case *every* certificate has a matching localKeyID.